[Openswan Users] Using XAuth

Paul Wouters paul at xelerance.com
Tue Jul 8 23:19:17 EDT 2008


> I have installed openswan on 2 linux machines. I am using one as the server and the other as the client and have got ipsec working.

I assume that is a test for something else? There is no reason to use XAUTH
between Linux systems.

> 4.       Configure single shared secret (PSK) in /etc/ipsec.secrets like
> 
> 0.0.0.0 1.2.3.4  : PSK "a secret for the xauth users"

If you enroll this on a larger scale, the compromise of one client could
lead to the compromise of all clients (since anyone with the PSK can pretend
to be the server to which you will give your xauth user/password credentials).

Using X.509 would be much better.

> [root]# ipsec auto --up aragon

> 108 "aragon" #2: STATE_MAIN_I3: sent MI3, expecting MR3
> 010 "aragon" #2: STATE_MAIN_I3: retransmission; will wait 20s for response

The other end rejected the connection; check the logs on that end.

Paul
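As an added illustration (not part of Paul's reply or the original poster's configuration), the shared-PSK XAUTH setup from the quoted mail is shown beside an X.509 equivalent in Openswan 2.6-style ipsec.conf / ipsec.secrets syntax. The server address 1.2.3.4 comes from the quoted secrets line; the conn names, the certificate and key file names, and the user database path are assumptions.

```conf
# --- Weak: one PSK shared by every XAUTH client (the setup quoted above) ---
# /etc/ipsec.conf
conn xauth-psk
    authby=secret             # IKE phase 1 authenticated only by the shared PSK
    left=1.2.3.4              # server (address from the quoted secrets line)
    leftxauthserver=yes       # server asks for XAUTH user/password after phase 1
    right=%any                # any client address
    rightxauthclient=yes
    auto=add

# /etc/ipsec.secrets
# Every client holds the same PSK, so any one client that leaks it can stand up
# a fake "1.2.3.4", complete phase 1, and collect other users' XAUTH credentials.
0.0.0.0 1.2.3.4 : PSK "a secret for the xauth users"


# --- Better: X.509 per-peer authentication, XAUTH on top (assumed file names) ---
# /etc/ipsec.conf
conn xauth-rsa
    authby=rsasig             # phase 1 authenticated with certificates
    left=1.2.3.4
    leftcert=server.pem       # assumed: server cert in /etc/ipsec.d/certs/
    leftrsasigkey=%cert       # take the server's public key from its certificate
    leftsendcert=always
    leftxauthserver=yes
    right=%any
    rightrsasigkey=%cert      # take each client's key from the cert it presents
    rightca=%same             # clients must present a cert issued by the server's CA
    rightxauthclient=yes
    auto=add

# /etc/ipsec.secrets
# Only the server's own private key lives here (assumed name, in /etc/ipsec.d/private/).
: RSA server.key
# XAUTH user names and password hashes are kept separately, e.g. in /etc/ipsec.d/passwd
# (assumed path); they no longer protect the phase-1 peer identity, the certificates do.
```

With certificates, a client that is compromised gives up only its own key pair: its certificate can be revoked (CRL) and, because the server's identity is bound to the server certificate's DN, a leaked client key cannot be used to impersonate 1.2.3.4 toward other users. This is the "X.509 would be much better" point in the reply above, written out as configuration.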